50 MD-102 Exam Questions & Answers 2025 | Endpoint Administrator
Domain 1: Prepare Infrastructure for Devices (25–30%)
1.1 Add Devices to Microsoft Entra ID
Q1. You need to join 500 Windows 11 devices to Microsoft Entra ID. The devices must support SSO to on-premises resources and be manageable via Group Policy. Which join type should you use?
- A. Microsoft Entra registered
- B. Microsoft Entra joined
- C. Microsoft Entra hybrid joined
- D. Microsoft Entra cloud-only joined
Answer: C – Microsoft Entra hybrid joined supports SSO to on-premises resources and allows Group Policy management while providing cloud capabilities.
Q2. A user has a personal iPad they want to use for corporate email. The device should NOT be managed by the organization, but corporate data must be protected. Which solution should you implement?
- A. Microsoft Entra joined
- B. Microsoft Entra registered with MAM
- C. Microsoft Entra hybrid joined
- D. Mobile Device Management (MDM) enrollment
Answer: B – Microsoft Entra registered with Mobile Application Management (MAM) allows BYOD scenarios where only corporate apps and data are managed, not the entire device.
Q3. Which PowerShell command should you use to check the device join type status on a Windows client?
- A. dsregcmd /status
- B. Get-MgDevice
- C. Get-ADComputer
- D. az ad device list
Answer: A – dsregcmd /status displays the device registration status including join type, tenant info, and SSO state.
Q4. You need to create a dynamic group that contains all Windows devices joined to Microsoft Entra ID. Which rule syntax should you use?
- A. (device.deviceOSType -eq "Windows")
- B. (device.deviceTrustType -eq "AzureAD")
- C. (device.deviceOSType -contains "Windows") -and (device.deviceTrustType -eq "AzureAD")
- D. (device.managementType -eq "MDM")
Answer: C – You must check both the OS type and the trust type to identify Windows devices specifically joined to Microsoft Entra ID.
Q5. Where should you configure the maximum number of devices a user can join to Microsoft Entra ID?
- A. Microsoft Intune > Device enrollment restrictions
- B. Microsoft Entra ID > Devices > Device settings
- C. Microsoft Entra ID > Security > Conditional Access
- D. Microsoft Endpoint Manager > Tenant administration
Answer: B – The device quota limit is configured in Microsoft Entra ID > Devices > Device settings, with a maximum of 100 devices per user or Unlimited.
1.2 Enroll Devices to Microsoft Intune
Q6. You need to enroll 1,000 iOS devices that were purchased through Apple Business Manager. Which enrollment method should you use?
- A. Device Enrollment Program (DEP)
- B. Apple Configurator
- C. Apple School Manager
- D. User-initiated enrollment with Company Portal
Answer: A – Apple Business Manager (formerly DEP) provides automated bulk enrollment for corporate-owned iOS devices with supervised mode.
Q7. Which Android enrollment profile should you use for dedicated devices like kiosks that are locked to a single app or set of apps?
- A. Work profile
- B. Fully managed
- C. Dedicated device (kiosk)
- D. Corporate-owned work profile
Answer: C – Dedicated device enrollment (formerly COSU – Corporate-Owned Single-Use) locks devices to specific apps for kiosk scenarios.
Q8. You need to prevent personal Android devices from enrolling in Intune. Where should you configure this restriction?
- A. Enrollment device platform restrictions
- B. Compliance policies
- C. Conditional Access policies
- D. Device configuration profiles
Answer: A – Enrollment device platform restrictions allow you to block personal devices by platform and ownership type.
Q9. Which Windows 10/11 edition is required for automatic enrollment via Group Policy?
- A. Windows 10/11 Home
- B. Windows 10/11 Pro
- C. Windows 10/11 Enterprise or Education
- D. Windows 10/11 S mode
Answer: C – Automatic MDM enrollment using Group Policy requires Windows 10/11 Enterprise, Education, or Pro (with specific configurations).
Q10. You need to configure bulk enrollment for 500 Windows devices without user interaction. Which method should you use?
- A. Windows Autopilot
- B. Windows Configuration Designer (WCD) provisioning packages
- C. Group Policy enrollment
- D. User-initiated enrollment
Answer: B – Windows Configuration Designer creates provisioning packages for bulk enrollment scenarios without requiring user interaction or network connectivity during setup.
1.3 Implement Identity and Compliance
Q11. Which Intune role should you assign to help desk staff who need to view device inventory and perform remote actions but should NOT be able to modify policies?
- A. Global Administrator
- B. Intune Service Administrator
- C. Help Desk Operator
- D. Endpoint Security Manager
Answer: C – Help Desk Operator provides read-only access to device information and allows remote actions without policy modification rights.
Q12. You need to ensure that only devices with antivirus enabled and up-to-date can access corporate resources. Which solution should you implement?
- A. Device compliance policy only
- B. Conditional Access policy only
- C. Device compliance policy + Conditional Access policy
- D. Endpoint security policy only
Answer: C – Device compliance policies evaluate device health, and Conditional Access policies enforce access controls based on compliance status.
Q13. Which Windows Hello for Business deployment method requires certificates for authentication?
- A. Cloud-only deployment
- B. Hybrid deployment with Key trust
- C. Hybrid deployment with Certificate trust
- D. On-premises deployment with PIN only
Answer: C – Hybrid deployment with Certificate trust requires PKI infrastructure and issues certificates to devices for authentication.
Q14. You need to manage local administrator passwords on Windows 10/11 devices using Windows LAPS. Which prerequisite is required?
- A. Azure AD Premium P1 license
- B. Windows 10/11 Pro or higher
- C. Microsoft Intune license
- D. All of the above
Answer: D – Windows LAPS requires Windows 10/11 Pro/Enterprise/Education, Azure AD Premium P1 (for Azure AD-joined devices), and Intune for policy management.
Q15. Which policy type should you use to add specific users to the local Administrators group on Windows devices managed by Intune?
- A. Custom configuration profile (CSP)
- B. Endpoint security account protection policy
- C. Local user group membership policy (preview)
- D. All of the above
Answer: D – You can use Account protection policies in Endpoint security, custom CSPs with ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure, or the newer Local user group membership policy.
Domain 2: Manage and Maintain Devices (30–35%)
2.1 Deploy and Upgrade Windows Clients
Q16. Which Windows Autopilot deployment mode requires the user to sign in with their Microsoft Entra credentials during OOBE to complete device setup?
- A. Self-deploying mode
- B. White glove provisioning
- C. User-driven mode
- D. Windows Autopilot reset
Answer: C – User-driven mode requires user authentication during OOBE to join Microsoft Entra ID and enroll in Intune.
Q17. You need to deploy Windows 11 to devices that currently run Windows 10. The solution must preserve user data and installed applications. Which deployment method should you use?
- A. Wipe and load
- B. In-place upgrade
- C. Provisioning package
- D. Fresh start
Answer: B – In-place upgrade preserves user data, settings, and applications while upgrading the OS from Windows 10 to Windows 11.
Q18. Which Windows Autopilot feature allows IT staff to pre-provision devices before delivering them to end users, reducing setup time?
- A. Self-deploying mode
- B. White glove provisioning (pre-provisioning)
- C. User-driven mode with ESP
- D. Autopilot for existing devices
Answer: B – White glove provisioning allows IT to complete device setup and application installation before the user receives the device.
Q19. You need to create a device name template for Windows Autopilot that includes the serial number. Which syntax should you use?
- A. CONTOSO-%SERIAL%
- B. CONTOSO-{{SERIALNUMBER}}
- C. CONTOSO-%SERIALNUMBER%
- D. CONTOSO-{{serialnumber}}
Answer: C – The correct syntax uses %SERIALNUMBER% (all caps) as the variable for device serial number in Autopilot profiles.
Q20. Which component of the Enrollment Status Page (ESP) tracks the installation of required applications during device setup?
- A. Device preparation
- B. Device setup
- C. Account setup
- D. All of the above
Answer: B – The Device setup phase tracks the enrollment status and required application installations during the ESP process.
Q21. You need to deploy a Windows 365 Cloud PC to a user. Which license is required for the user?
- A. Microsoft 365 E3
- B. Windows 10/11 Enterprise E3
- C. Windows 365 Business or Enterprise license
- D. Microsoft Intune license only
Answer: C – Windows 365 requires specific Windows 365 licenses (Business or Enterprise) in addition to base licensing.
Q22. Which tool should you use to create a provisioning package for Windows 10/11 devices?
- A. Windows Configuration Designer
- B. Microsoft Deployment Toolkit (MDT)
- C. System Center Configuration Manager
- D. Windows Assessment and Deployment Kit (ADK)
Answer: A – Windows Configuration Designer (WCD) is the modern tool for creating provisioning packages for Windows client deployment.
Q23. You need to ensure that Windows 11 feature updates are deferred for 30 days after release. Which Intune policy should you configure?
- A. Windows Update for Business – Feature updates
- B. Windows Update for Business – Quality updates
- C. Update rings for Windows 10 and later
- D. Driver updates
Answer: C – Update rings allow you to configure deferral periods for both feature and quality updates.
Q24. Which Windows 11 hardware requirement blocks upgrades from Windows 10 on older devices?
- A. 4 GB RAM minimum
- B. TPM 2.0
- C. 64 GB storage minimum
- D. DirectX 12 compatible GPU
Answer: B – TPM 2.0 is the most common hardware requirement that blocks Windows 11 upgrades on older Windows 10 devices.
Q25. You need to deploy Windows 11 to devices that are not currently managed by Intune. Which Windows Autopilot feature supports this scenario?
- A. Windows Autopilot for pre-provisioned deployment
- B. Windows Autopilot for existing devices
- C. Windows Autopilot self-deploying mode
- D. Windows Autopilot reset
Answer: B – Windows Autopilot for existing devices allows you to register and deploy Windows 11 to devices already running Windows 10 without wiping them.
2.2 Plan and Implement Device Configuration Profiles
Q26. You need to configure a setting that is not available in the Settings Catalog. Which alternative should you use?
- A. Administrative Templates
- B. Custom configuration profile with OMA-URI
- C. Endpoint security policy
- D. Compliance policy
Answer: B – Custom configuration profiles using OMA-URI settings allow you to configure any CSP (Configuration Service Provider) setting not exposed in the UI.
Q27. Which file format is used to import custom ADMX templates into Microsoft Intune?
- A. .admx and .adml files
- B. .xml files only
- C. .json files
- D. .cab files
Answer: A – ADMX files contain the policy definitions and ADML files contain the language-specific resources; both are required.
Q28. You need to apply a device configuration profile only to devices in the Marketing department. Which feature should you use?
- A. Dynamic device groups only
- B. Assignment filters
- C. Scope tags
- D. Administrative units
Answer: B – Assignment filters allow you to target policies based on device properties without creating complex dynamic groups.
Q29. Which configuration profile type should you use to configure email settings for iOS devices?
- A. Device features
- B. Email
- C. VPN
- D. Custom
Answer: B – The Email configuration profile type specifically handles email account configuration for iOS and other platforms.
Q30. You need to configure Microsoft Defender Antivirus settings for Windows devices. Which profile type is most appropriate?
- A. Device restriction profile
- B. Endpoint security antivirus policy
- C. Custom configuration profile
- D. Administrative Templates
Answer: B – Endpoint security policies provide purpose-built templates for antivirus, firewall, and other security settings.
Q31. Which macOS enrollment method is required to deploy device configuration profiles?
- A. User enrollment
- B. Device enrollment
- C. Automated Device Enrollment (ADE)
- D. All of the above
Answer: C – Automated Device Enrollment (formerly DEP) is required for supervised mode, which enables full device configuration management.
Q32. You need to configure settings for Azure Virtual Desktop multi-session hosts. Which profile type should you use?
- A. Windows 10 and later
- B. Windows 10 Team
- C. Enterprise multi-session
- D. Windows 365
Answer: C – Enterprise multi-session profiles are specifically designed for Azure Virtual Desktop multi-session scenarios.
Q33. Which Windows CSP path is used to configure Start menu layout?
- A. ./Vendor/MSFT/Policy/Config/Start/StartLayout
- B. ./Device/Vendor/MSFT/Policy/Config/Start/ConfigureStartPins
- C. ./Device/Vendor/MSFT/StartLayout/StartLayout
- D. Both B and C
Answer: D – Both ConfigureStartPins (for Windows 11) and StartLayout (for Windows 10) CSPs are used for Start menu customization.
Q34. You need to block USB storage devices on Windows devices. Which policy type should you use?
- A. Device restriction profile
- B. Endpoint security disk encryption policy
- C. Administrative Templates (ADMX)
- D. Both A and C
Answer: D – USB restrictions can be configured through Device restrictions or through ADMX templates (Removable Storage Access).
Q35. Which filter rule property can you use to target devices based on their enrollment profile?
- A. device.enrollmentProfileName
- B. device.enrollmentType
- C. device.managementType
- D. device.deviceCategory
Answer: A – device.enrollmentProfileName allows targeting based on the specific enrollment profile used during device setup.
2.3 Implement Intune Suite Add-on Capabilities
Q36. Which Intune Suite add-on allows you to elevate standard users to local administrators for specific approved applications?
- A. Microsoft Tunnel for MAM
- B. Endpoint Privilege Management
- C. Remote Help
- D. Advanced Analytics
Answer: B – Endpoint Privilege Management (EPM) enables just-in-time elevation for standard users on a per-application basis.
Q37. You need to provide remote assistance to users on managed devices. Which Intune Suite feature should you implement?
- A. TeamViewer
- B. Remote Help
- C. Quick Assist
- D. Remote Desktop
Answer: B – Remote Help is the Intune Suite add-on specifically designed for secure remote assistance with role-based access control.
Q38. Which feature of Microsoft Intune Advanced Analytics provides proactive insights into device health and performance?
- A. Device query
- B. Anomaly detection
- C. Battery health reporting
- D. All of the above
Answer: D – Advanced Analytics includes anomaly detection, battery health reporting, and enhanced device query capabilities.
Q39. You need to deploy a line-of-business app that is not available in public app stores. Which Intune Suite feature provides a curated catalog of enterprise applications?
- A. Microsoft Store for Business
- B. Enterprise App Catalog
- C. Winget integration
- D. App Wrapping Tool
Answer: B – The Enterprise App Catalog provides pre-packaged, enterprise-ready applications that can be easily deployed through Intune.
Q40. Which scenario requires Microsoft Tunnel for MAM?
- A. Managing iOS devices with full MDM enrollment
- B. Providing secure access to on-premises resources for unenrolled devices with managed apps
- C. Deploying VPN profiles to Android Enterprise devices
- D. Configuring Wi-Fi profiles for Windows devices
Answer: B – Microsoft Tunnel for MAM enables secure access to on-premises resources for devices that are not MDM-enrolled but have managed apps (MAM-WE).
2.4 Perform Remote Actions on Devices
Q41. Which remote action should you use to remove all company data and settings from a device while keeping personal data intact?
- A. Retire
- B. Wipe
- C. Delete
- D. Fresh Start
Answer: A – Retire removes company data and management but preserves personal data; Wipe performs a factory reset.
Q42. You need to force a device to check in with Intune immediately to receive new policies. Which remote action should you use?
- A. Sync
- B. Restart
- C. Refresh device actions
- D. Reboot
Answer: A – The Sync action forces an immediate device check-in with the Intune service.
Q43. Which PowerShell command can you use to rotate BitLocker recovery keys for a managed device?
- A. Invoke-MgGraphRequest with rotateBitLockerKeys
- B. Update-MgDeviceManagementManagedDevice -BitLockerKeyRotationEnabled $true
- C. Remote action through Intune admin center only
- D. Both A and C
Answer: D – BitLocker key rotation can be performed via the Intune admin center or programmatically through Microsoft Graph API.
Q44. You need to run a query to find devices with low disk space across your tenant. Which feature should you use?
- A. Device inventory reports
- B. Device query with KQL
- C. Log Analytics queries
- D. Export device list to CSV
Answer: B – Device query using Kusto Query Language (KQL) allows real-time querying of device properties across the tenant.
Q45. Which bulk remote action is available for device management in Intune?
- A. Bulk retire
- B. Bulk wipe
- C. Bulk delete
- D. All of the above
Answer: D – Intune supports bulk actions for retire, wipe, delete, restart, and sync operations on multiple devices simultaneously.
Domain 3: Manage Applications (15–20%)
3.1 Deploy and Update Apps
Q46. You need to deploy a Win32 application that requires a specific registry key to be present before installation. Which deployment feature should you use?
- A. Dependency
- B. Requirement rule
- C. Detection rule
- D. Supersedence
Answer: B – Requirement rules verify prerequisites (like registry keys, file existence, or OS version) before attempting installation.
Q47. Which tool should you use to create a customized Microsoft 365 Apps installation package for deployment via Intune?
- A. Office Deployment Tool (ODT)
- B. Office Customization Tool (OCT)
- C. Microsoft 365 Apps admin center
- D. All of the above
Answer: D – ODT and OCT are used for package creation, and the Microsoft 365 Apps admin center provides cloud-based management and deployment capabilities.
Q48. You need to ensure that an updated version of an app automatically replaces the older version on managed devices. Which feature should you configure?
- A. App dependencies
- B. App supersedence
- C. App requirements
- D. App configuration policies
Answer: B – Supersedence relationships define that a new app version replaces an older version, optionally uninstalling the old version first.
Q49. Which iOS app type should you use to deploy apps purchased through Apple Business Manager?
- A. iOS store app
- B. iOS VPP app (Volume Purchase Program)
- C. Web app
- D. Built-in iOS app
Answer: B – iOS VPP apps are deployed through Apple Business Manager (formerly VPP) and support device licensing for corporate-owned devices.
Q50. You need to configure Outlook mobile app settings for managed devices. Which policy type should you use?
- A. App protection policy
- B. App configuration policy (managed devices)
- C. App configuration policy (managed apps)
- D. Device configuration profile
Answer: B – App configuration policies for managed devices push configuration settings to apps on MDM-enrolled devices.
Domain 4: Protect Devices (15–20%)
4.1 Configure Endpoint Security
Q51. Which Attack Surface Reduction (ASR) rule blocks Office applications from creating child processes?
- A. Block Office applications from creating executable content
- B. Block Office applications from creating child processes
- C. Block Office communication application from creating child processes
- D. Block all Office applications from injecting code into other processes
Answer: B – The “Block Office applications from creating child processes” ASR rule prevents Office apps from spawning child processes, mitigating macro-based attacks.
Q52. You need to ensure that Windows Defender Firewall is enabled and configured on all managed Windows devices. Which policy type should you use?
- A. Device configuration profile
- B. Endpoint security firewall policy
- C. Compliance policy
- D. Both A and B
Answer: D – Firewall settings can be configured through either Device configuration profiles (custom CSP) or Endpoint security firewall policies (recommended).
Q53. Which Microsoft Defender for Endpoint component provides automated investigation and remediation of threats?
- A. Defender Antivirus
- B. Defender SmartScreen
- C. Automated investigation and remediation (AIR)
- D. Attack surface reduction
Answer: C – AIR capabilities in Defender for Endpoint automatically investigate alerts and can remediate threats without admin intervention.
Q54. You need to onboard devices to Microsoft Defender for Endpoint using Intune. Which profile type should you use?
- A. Endpoint detection and response (EDR)
- B. Microsoft Defender for Endpoint
- C. Security baselines
- D. Both A and B
Answer: D – You can use the dedicated Microsoft Defender for Endpoint profile or configure EDR settings through Endpoint security policies.
Q55. Which security baseline provides pre-configured security settings for Windows 10/11 devices?
- A. MDM Security Baseline
- B. Microsoft Defender for Endpoint baseline
- C. Both A and B
- D. Windows 10/11 Security Baseline
Answer: C – Intune provides both the MDM Security Baseline and the Microsoft Defender for Endpoint baseline for comprehensive security configuration.
4.2 Manage Device Updates
Q56. You need to create an update ring that deploys feature updates to a pilot group immediately but defers them for 30 days for the broad group. Which setting should you configure?
- A. Servicing channel
- B. Feature update deferral period
- C. Quality update deferral period
- D. Maintenance window
Answer: B – Feature update deferral periods control how many days after release that feature updates are offered to devices.
Q57. Which Windows Update for Business servicing channel provides feature updates as soon as they are available?
- A. General Availability Channel
- B. Targeted channel
- C. Insider Preview
- D. Long-term Servicing Channel (LTSC)
Answer: B – The Targeted channel (formerly Semi-Annual Channel Targeted) provides feature updates immediately upon release for pilot users.
Q58. You need to optimize bandwidth usage for Windows updates across multiple branch offices. Which feature should you implement?
- A. Delivery Optimization
- B. BranchCache
- C. Background Intelligent Transfer Service (BITS)
- D. Windows Server Update Services (WSUS)
Answer: A – Delivery Optimization allows peer-to-peer sharing of update content between devices on the same network, reducing internet bandwidth usage.
Q59. Which update policy type should you use to manage iOS/iPadOS updates in Intune?
- A. Update rings
- B. Software updates
- C. Feature updates
- D. iOS update policy
Answer: D – iOS/iPadOS uses specific update policies (Policies > Software updates > iOS/iPadOS) rather than Windows-style update rings.
Q60. You need to monitor update compliance across all device platforms in Intune. Which report should you use?
- A. Windows Update for Business reports
- B. Software updates report
- C. Device compliance report
- D. All of the above
Answer: D – Intune provides platform-specific update reports including Windows Update for Business reports, software update status, and overall device compliance reporting.
Exam Tips Summary
Based on the January 2026 exam update:
- Focus on new features: Windows LAPS, Endpoint Privilege Management, Remote Help, Advanced Analytics, and Cloud PKI are emphasized
- Cross-platform knowledge: Expect questions on iOS, Android, macOS, and Windows management
- Automation: PowerShell and Microsoft Graph API scenarios are increasingly common
- Integration: Understand how Intune integrates with Microsoft Entra ID, Defender for Endpoint, and Windows 365
- Troubleshooting: Know how to resolve enrollment, policy application, and update issues
These questions cover all four exam domains with emphasis on the most current objectives as of the January 23, 2026 exam update.
